Key Procedures Management Policy

Purpose:

The purpose of this policy is to establish guidelines for the management, distribution, and protection of cryptographic keys used in securing Pitaka’s systems and data. This ensures that key management practices are in compliance with Philippine regulations and industry best practices, such as those outlined in the Data Privacy Act of 2012.

Scope:

This policy applies to all employees, contractors, and third-party service providers who manage, distribute, or use cryptographic keys within the Pitaka platform.

Policy

1. Key Generation:

Cryptographic keys used within Pitaka must be generated using secure, approved algorithms that adhere to industry standards. Key generation must occur within a secure, controlled environment to prevent unauthorized access or tampering. All cryptographic algorithms, key lengths, and cryptographic modules must be approved by the IT security team and comply with legal and regulatory requirements.

2. Key Storage:

Cryptographic keys must be stored in a secure manner, such as using a Hardware Security Module (HSM) or secure key management software. Access to key storage systems must be limited to authorized personnel and require multi-factor authentication (MFA). Keys stored in software must be encrypted, and any backups of cryptographic keys must also be securely stored and protected.

3. Key Distribution:

Keys must be distributed using secure channels to prevent unauthorized access or interception during transmission. The use of encryption, secure transport mechanisms such as TLS, or other secure methods must be implemented for key distribution. Distribution of cryptographic keys must be logged and monitored to ensure accountability.

4. Key Usage:

Cryptographic keys must only be used for their intended purpose and within approved applications or systems. Access to keys will be granted based on the principle of least privilege, ensuring that users and systems only have the necessary permissions to use the keys. Any misuse or unauthorized use of cryptographic keys must be reported immediately, and corrective measures must be taken to mitigate risks.

5. Key Rotation and Expiration:

Cryptographic keys must be rotated periodically to reduce the risk of key compromise. Key rotation intervals will be defined based on the criticality of the key and the associated risks. Expired keys must be securely removed from the system and replaced with new keys. Access to expired keys must be revoked. Any key compromised or suspected of being compromised must be replaced immediately, and all affected systems and data must be re-secured.

6. Key Revocation and Destruction:

Cryptographic keys must be revoked when they are no longer needed, when an employee leaves the organization, or when a key is compromised. Revoked keys must be securely destroyed in a manner that ensures they cannot be recovered or reused. Documentation of key revocation and destruction must be maintained, including the rationale for the revocation and the methods used for destruction.

7. Key Backup and Recovery:

Cryptographic keys must be backed up to prevent data loss in the event of a system failure or disaster. Backup keys must be stored in a secure environment with the same level of protection as primary keys. Key recovery procedures must be implemented to ensure that cryptographic operations can be resumed in the event of key loss or corruption.

8. Key Management Audits:

Regular audits of cryptographic key management practices will be conducted to ensure compliance with this policy and identify any potential vulnerabilities. Audit logs must include details of key generation, distribution, rotation, and revocation activities. Audit findings must be reviewed by the IT security team, and any necessary corrective actions must be implemented to address gaps in key management.

9. User Training and Awareness:

All personnel involved in cryptographic key management must receive training on secure key management practices and the risks associated with key compromise. Ongoing training programs must be provided to ensure users are aware of the latest threats and best practices in key management.

10. Compliance with Legal and Regulatory Requirements:

This policy is aligned with the Data Privacy Act of 2012 and other relevant regulations in the Philippines concerning cryptographic key management. Pitaka will review and update key management practices regularly to remain compliant with changes in legal and regulatory frameworks.

11. Incident Reporting and Response:

Any incident involving the compromise or potential compromise of cryptographic keys must be reported immediately to the IT security team. The incident response team will investigate and mitigate the impact of the compromise, including key replacement and re-securing affected data and systems. Incidents will be documented and reviewed to improve future key management processes and policies.

12. Policy Enforcement:

Violations of this policy will result in disciplinary actions, including access revocation, employment termination, or legal consequences, depending on the severity of the violation. The IT security team is responsible for monitoring adherence to this policy and enforcing necessary security controls.

Purpose:​

Scope:​

Policy​

1. Key Generation:​

2. Key Storage:​

3. Key Distribution:​

4. Key Usage:​

5. Key Rotation and Expiration:​

6. Key Revocation and Destruction:​

7. Key Backup and Recovery:​

8. Key Management Audits:​

9. User Training and Awareness:​

10. Compliance with Legal and Regulatory Requirements:​

11. Incident Reporting and Response:​

12. Policy Enforcement:​